How might this have happened?
- You have authorised an app in Facebook to post on your behalf
- You have used the same email address and password on another online service and those credentials have been leaked or exfiltrated.
- You are using a weak, easily guessed password for either:
  - Facebook (this is fixable)
  - another service such as your mailbox (Gmail, Outlook etc.) that an attacker has used with Facebook’s “forgot password” function (really bad, because whoever controls your mailbox can reset most of your other accounts too)
  - your password manager (worst case, because every password stored in it is then exposed)
What should I do?
- Change your Facebook password to a temporary one you’ve never used before and that isn’t a variation of your previous one.
- Go through the apps you’ve allowed to access your Facebook account and revoke any you don’t recognise or no longer need.
Stop using the same password everywhere
Start using a password manager.
This ensures you never inadvertently use the same password more than once. When your login credentials are leaked (and they will be), the damage is restricted to a single online service, which can be fixed quickly by changing that one password.
- Choose a password manager (such as LastPass, 1Password etc)
- Install it on all your devices. This includes desktops, laptops and mobile devices.
- Make sure your master password is a strong one which you haven’t used before and which you can easily remember. Choose three words and join them together. Don’t use any words that can be associated with you, and don’t pick the words from memory: words chosen at random from a long list are far harder to guess than words you think of yourself.
The password manager will offer to install an extension or plugin into each browser it detects on your desktop/laptop. This is used to talk to the password manager’s central store and to enter your credentials into web pages for you.
For mobile devices, go to your App Store and install the app for your chosen password manager. This will provide the same functionality on your mobile device.
Use your password manager to protect Facebook.
- Log out of Facebook and log in again.
- Change your password (again), and this time use your password manager to generate and store a new, secure one for you.
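The two pieces of advice above (a master passphrase made of words, and letting the manager generate every other password) both come down to picking secrets uniformly at random from a large enough pool. The following is an added example, not code from the original page or from any password manager; the word list is a short constructed sample standing in for a real one of thousands of words, and the function names are the author's own. It shows how a generator picks from the pool with a cryptographic random source and how to compare the strength of the result in bits.

```python
import math
import secrets
import string

# Constructed sample word list for the demo. A real passphrase generator
# should draw from a long list (the EFF long list has 7776 words); a
# dozen words is only enough to show the mechanics.
SAMPLE_WORDS = [
    "orbit", "velvet", "canyon", "lantern", "marble", "thistle",
    "harbor", "quartz", "saddle", "tundra", "willow", "ember",
]

# Character pool a typical manager uses for generated site passwords.
SYMBOL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(pool_size: int, count: int) -> float:
    """Strength of `count` independent, uniform picks from a pool of `pool_size`.

    Each pick contributes log2(pool_size) bits; picks made with a CSPRNG
    are independent, so the contributions add up.
    """
    if pool_size < 2 or count < 1:
        raise ValueError("need a pool of at least 2 and at least 1 pick")
    return count * math.log2(pool_size)


def generate_passphrase(words, count: int = 4, sep: str = "-") -> str:
    """Join `count` words picked uniformly at random (with replacement).

    secrets.choice uses the OS CSPRNG; random.choice would not be suitable
    for secrets because its output is predictable from its internal state.
    """
    return sep.join(secrets.choice(words) for _ in range(count))


def generate_password(length: int = 20, alphabet: str = SYMBOL_ALPHABET) -> str:
    """Generate a site password the way a manager does: random characters
    from a fixed alphabet, one independent CSPRNG pick per position."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_strength() -> dict:
    """Return entropy in bits for a few realistic choices, so the numbers
    behind 'three words' vs. a generated password are visible."""
    return {
        # three words from a 7776-word list (a diceware-style master passphrase)
        "3 words / 7776-word list": entropy_bits(7776, 3),
        # four words from the same list
        "4 words / 7776-word list": entropy_bits(7776, 4),
        # three words from the small pool a person tends to think of themselves
        "3 words / 200 familiar words": entropy_bits(200, 3),
        # a 20-character generated password from the 94 printable ASCII symbols
        "20 chars / 94 symbols": entropy_bits(len(SYMBOL_ALPHABET), 20),
    }


if __name__ == "__main__":
    print("master passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
    print("site password:    ", generate_password(20))
    for label, bits in compare_strength().items():
        print(f"{label:32s} {bits:6.1f} bits")
```

The numbers make the caveat concrete: three words from a 7776-word list give about 39 bits, four words about 52, while three words a person chooses from the couple of hundred they habitually think of give under 23 bits. A 20-character generated password is around 131 bits, which is why the manager, not you, should pick every site password.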
Secure your online footprint
Go through all your commonly used online services and all those where you suspect you might have used the same password.
Change your password on each of these services and use your password manager to generate and store a new secure password.
Stop your browser from remembering your passwords
Your chosen password manager now looks after your passwords. Go into your browser settings and disable “remember passwords”.
Purge any passwords your browser has already remembered so its list is empty.
Go through the browsers on all your devices and make sure this has been done.
Turn on two factor authentication
If an online service allows the use of two factor (or multi factor) authentication, turn it on. Start with your mailbox and your password manager, since those two protect everything else.
This means an attacker not only needs to KNOW your username and password, they also need to HAVE your mobile device (or the one-time code it produces) in order to log in as you. Where the service offers a choice, an authenticator app or a hardware key is stronger than codes sent by SMS, which can be intercepted or redirected.